<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->


<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="zh-cn" xml:lang="zh-cn">
<head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="DC.Type" content="topic">
<meta name="DC.Title" content="Step 2: (Optional) Creating an IPsec Policy">
<meta name="product" content="">
<meta name="DC.Relation" scheme="URI" content="nas_s_0035_0.html">
<meta name="prodname" content="">
<meta name="version" content="">
<meta name="brand" content="30-OceanProtect Backup Appliance 1.5.0-1.6.0 Help Center">
<meta name="DC.Publisher" content="20240320">
<meta name="prodname" content="csbs">
<meta name="documenttype" content="usermanual">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="nas_s_0038_0">
<meta name="DC.Language" content="zh-cn">
<link rel="stylesheet" type="text/css" href="public_sys-resources/commonltr.css">
<title>Step 2: (Optional) Creating an IPsec Policy</title>
</head>
<body style="clear:both; padding-left:10px; padding-top:5px; padding-right:5px; padding-bottom:5px"><a name="nas_s_0038_0"></a><a name="nas_s_0038_0"></a>

<h1 class="topictitle1">Step 2: (Optional) Creating an IPsec Policy</h1>
<div><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p618831644613">Before enabling the replication link encryption switch, create an IPsec policy for the replication network logical port on the storage devices at both ends of the replication link. Once the policy is in place, data transmitted during remote replication is encrypted, protecting it in transit. The following operations must be performed on the storage devices at both ends of the replication link.</p>
<div class="section" id="nas_s_0038_0__zh-cn_topic_0000001792344098_section387343573110"><h4 class="sectiontitle">Prerequisites</h4><ul id="nas_s_0038_0__zh-cn_topic_0000001792344098_ul1614193821113"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li17141338161114">IPsec policies can be created only when the replication network is an IP network.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li17586815116">IPsec policies can be created only when the replication network uses IPv4 addresses.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li82609552112">IPsec policies cannot be created when the replication network logical port is created on a bond port that spans interface modules (cross-card bond).</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li169781538433">Only SmartIO interface modules (10 Gbit/s) support IPsec policies.</li></ul>
</div>
<div class="section" id="nas_s_0038_0__zh-cn_topic_0000001792344098_section135599911160"><h4 class="sectiontitle">Procedure</h4><ol id="nas_s_0038_0__zh-cn_topic_0000001792344098_ol65154559312"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li1996019356521"><span>Check whether the maximum transmission unit (MTU) of the replication network logical ports at both ends of the replication link, for which the IPsec policy is to be enabled, is smaller than the MTU of the switch port.</span><p><div class="notice" id="nas_s_0038_0__zh-cn_topic_0000001792344098_note440019564200"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-zh-cn.png"> </span><div class="noticebody"><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p17400656152015">To ensure that the remote device can still be added after the IPsec policy is created, make sure the MTU of the replication network logical ports at both ends of the replication link is smaller than the switch port MTU.</p>
</div></div>
<ol type="a" id="nas_s_0038_0__zh-cn_topic_0000001792344098_ol758275814538"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li189170183419">Log in to the DeviceManager management interface of the primary-end storage system and of the secondary-end storage system.<ul id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0000001839223165_ul1899151343111"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0000001839223165_li19991413113118">For OceanProtect X series backup appliances, perform the following operations:<ol class="substepthirdol" id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0000001839223165_ol5625945183219"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0000001839223165_li84033442337">Choose "System &gt; Infrastructure &gt; Cluster Management".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0000001839223165_li938315412338">On the "Backup Cluster" tab, in the "Local Cluster Nodes" area, click the node name.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0000001839223165_li9647100173410">In the "Node Details" dialog that appears, click "Open Device Management" to go to the DeviceManager management interface.</li></ol>
</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0000001839223165_li15921125623118">For OceanProtect E1000 (with OceanProtect as the backup storage), log in to the DeviceManager management interface of the backup storage device. For details, see <a href="zh-cn_topic_0000001913343113.html">Logging In to the DeviceManager Management Interface</a>.</li></ul>
</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li671572511177">Choose "Services &gt; Network &gt; Logical Ports".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li1539303115353"><a name="nas_s_0038_0__zh-cn_topic_0000001792344098_li1539303115353"></a><a name="zh-cn_topic_0000001792344098_li1539303115353"></a>Filter the logical ports whose "Role" is "Replication" and record the value of "Current Port".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li108045246421">In the left navigation pane, choose "Ethernet Network".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li1060916465317">Using the value obtained in <a href="#nas_s_0038_0__zh-cn_topic_0000001792344098_li1539303115353">1.c</a>, filter the corresponding Ethernet port in the "Location" column and check its "Maximum Transmission Unit (Bytes)" value.<ul id="nas_s_0038_0__zh-cn_topic_0000001792344098_ul1460121235411"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li460712155417">If the MTU of every replication network logical port is smaller than the switch port MTU, with a difference of at least 100 bytes, go to <a href="#nas_s_0038_0__zh-cn_topic_0000001792344098_li0209128194">2</a>.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li1763193310">Otherwise, modify the MTU of the replication network logical port.<ol class="substepthirdol" id="nas_s_0038_0__zh-cn_topic_0000001792344098_ol14600961242"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li156001861547">Click the name of the Ethernet port.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li176001467416">In the upper-right corner of the details page that appears, choose "Operation &gt; Modify" and enter the new value in "Maximum Transmission Unit (Bytes)".<div class="note" id="nas_s_0038_0__zh-cn_topic_0000001792344098_note741641619229"><img src="public_sys-resources/note_3.0-zh-cn.png"><span class="notetitle"> </span><div class="notebody"><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p39231595260">The value range of the replication network logical port MTU is [1280, switch port MTU - 100]. The 100-byte headroom leaves room for the IPsec encapsulation added to each packet once the policy is active, so that encrypted frames still fit through the switch port. For example:</p>
<p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p8875175142319">If the switch port MTU is 1500 bytes, the replication network logical port MTU range is [1280, 1400]; the recommended setting is 1300 bytes.</p>
</div></div>
</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li67381812162113">单击“确定”。</li></ol>
</li></ul>
</li></ol>
</p></li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li0209128194"><a name="nas_s_0038_0__zh-cn_topic_0000001792344098_li0209128194"></a><a name="zh-cn_topic_0000001792344098_li0209128194"></a><span>Switch the security type of the interface module to IPsec.</span><p><ol type="a" id="nas_s_0038_0__zh-cn_topic_0000001792344098_ol1788419251018"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0145458794_zh-cn_topic_0127771727_li24773389">Choose "System &gt; Hardware &gt; Devices".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li20556718142213">Click the controller enclosure that houses the interface module whose security type you want to switch.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0145458825_zh-cn_topic_0127772045_li39598310">Click <span><img id="nas_s_0038_0__zh-cn_topic_0000001792344098_image15291154112015" src="zh-cn_image_0000001839223225.png"></span> to switch to the rear view of the storage device.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_zh-cn_topic_0145458825_zh-cn_topic_0127772045_li53346567">Click the interface module whose security type you want to switch.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li361555923412">On the interface module page that appears, choose "Operation &gt; Switch Security Type".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li1062520132616">Select the security type <span class="uicontrol" id="nas_s_0038_0__zh-cn_topic_0000001792344098_uicontrol1672122310119">"IPsec"</span>.<p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p1912565416127">When the security type is "IPsec", the TOE (TCP offload engine) function is disabled on all ports of the interface module and cannot be enabled individually.</p>
</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li397216280297">Complete the confirmation as prompted.</li></ol>
</p></li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li1341392475617"><span>Create an IPsec policy for the replication network logical port.</span><p><ol type="a" id="nas_s_0038_0__zh-cn_topic_0000001792344098_ol92021645165616"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li2515195513112">Choose "Services &gt; Network &gt; Logical Ports".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li7584122818912">Select the replication network logical port for which the IPsec policy is to be created and click "Manage IPsec Policy".</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li11351258994">Click <span class="uicontrol" id="nas_s_0038_0__zh-cn_topic_0000001792344098_uicontrol1664625018236">"Create"</span> to create the IPsec policy.<p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p69242292100">The parameters are described in <a href="#nas_s_0038_0__zh-cn_topic_0000001792344098_table1688015148293">Table 1</a>.</p>

<div class="tablenoborder"><a name="nas_s_0038_0__zh-cn_topic_0000001792344098_table1688015148293"></a><a name="zh-cn_topic_0000001792344098_table1688015148293"></a><table cellpadding="4" cellspacing="0" summary="" id="nas_s_0038_0__zh-cn_topic_0000001792344098_table1688015148293" frame="border" border="1" rules="all"><caption><b>Table 1 </b>IPsec policy parameters</caption><colgroup><col style="width:24.07%"><col style="width:75.92999999999999%"></colgroup><thead align="left"><tr id="nas_s_0038_0__zh-cn_topic_0000001792344098_row148809148293"><th align="left" class="cellrowborder" valign="top" width="24.07%" id="mcps1.3.3.2.3.2.1.3.3.2.3.1.1"><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p17880214122914">Parameter</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="75.92999999999999%" id="mcps1.3.3.2.3.2.1.3.3.2.3.1.2"><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p38809143293">Description</p>
</th>
</tr>
</thead>
<tbody><tr id="nas_s_0038_0__zh-cn_topic_0000001792344098_row1588010144293"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.1 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p12788144711440">Name</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.2 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p7787154734410">Name of the IPsec policy.</p>
</td>
</tr>
<tr id="nas_s_0038_0__zh-cn_topic_0000001792344098_row1330314544416"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.1 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p19786124711440">Remote IP Address</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.2 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p748615262717">Replication network IP address of the storage device at the other end of the replication link (the secondary-end device when the policy is created on the primary end).</p>
<p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p1776619474444">Only IPv4 is supported. Up to 32 IP addresses can be entered, separated by semicolons, spaces, or line breaks.</p>
<div class="note" id="nas_s_0038_0__zh-cn_topic_0000001792344098_note08068289815"><span class="notetitle"> Note: </span><div class="notebody"><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p1806152817819">After the IPsec policy has been created, you can add IP addresses or remove existing ones later through the modify IPsec policy operation.</p>
</div></div>
</td>
</tr>
<tr id="nas_s_0038_0__zh-cn_topic_0000001792344098_row12535134518443"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.1 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p3535154584414">Encryption Algorithm</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.2 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p1536445194420">Algorithm used to encrypt the transmitted data. It must be the same at both ends of the replication link. Supported algorithms: AES and SM4.</p>
<div class="note" id="nas_s_0038_0__zh-cn_topic_0000001792344098_note717731711919"><span class="notetitle"> Note: </span><div class="notebody"><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p117731720191">Some product models do not allow the encryption algorithm to be set; the actual interface prevails. On such models, AES is used by default.</p>
</div></div>
</td>
</tr>
<tr id="nas_s_0038_0__zh-cn_topic_0000001792344098_row1267015458442"><td class="cellrowborder" valign="top" width="24.07%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.1 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p56701145124418">Pre-shared Key</p>
</td>
<td class="cellrowborder" valign="top" width="75.92999999999999%" headers="mcps1.3.3.2.3.2.1.3.3.2.3.1.2 "><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p84261148269">User-defined pre-shared key. It must be identical at both ends of the replication link. Because the space is a valid key character, make sure no leading or trailing space is pasted on either end. Generate the key randomly rather than deriving it from a word or phrase; the 16-character minimum is a floor, not a recommendation.</p>
<p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p14670650612">[Value range]</p>
<ul id="nas_s_0038_0__zh-cn_topic_0000001792344098_ul567085762"><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li76705510612">16 to 127 characters.</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li196701553613">Contains at least two of the following: special characters, uppercase letters, lowercase letters, and digits. Special characters are !"#$%&amp;'()*+,-./:;&lt;=&gt;?@[\]^`{_|}~ and the space.</li></ul>
</td>
</tr>
</tbody>
</table>
</div>
</li><li id="nas_s_0038_0__zh-cn_topic_0000001792344098_li159813261107">Click <span class="uicontrol" id="nas_s_0038_0__zh-cn_topic_0000001792344098_uicontrol165011712112720">"OK"</span>.<div class="note" id="nas_s_0038_0__zh-cn_topic_0000001792344098_note12248146121112"><img src="public_sys-resources/note_3.0-zh-cn.png"><span class="notetitle"> </span><div class="notebody"><p id="nas_s_0038_0__zh-cn_topic_0000001792344098_p15167204592113">If you later need to delete an IPsec policy that is no longer in use, delete it on the storage devices at both ends. Deleting the policy on one end alone breaks the replication service; it resumes automatically once the policy is also deleted on the other end. Delete IPsec policies when no replication is running, and delete the policy on the second end immediately after deleting it on the first.</p>
</div></div>
</li></ol>
</p></li></ol>
</div>
</div>
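<div class="section"><h4 class="sectiontitle">Example: Checking the Parameter Values Before Entering Them</h4><p>The following Python script is an added example for this page; it is not OceanProtect or DeviceManager code and calls no DeviceManager API. It encodes the constraints the procedure states (logical port MTU in [1280, switch port MTU - 100], IPv4-only remote addresses with a cap of 32 and semicolon, space or line-break separators, a 16 to 127 character pre-shared key drawn from at least two character classes, and the same algorithm and key at both ends) so that values can be validated, or a random key generated, before they are typed into both DeviceManager instances. The function names, the sample addresses in 192.0.2.0/24 and the sample keys are constructed for the example; leaving the space out of the generated key's alphabet is a choice made here, not a product rule.</p>

```python
"""Pre-check helpers for the IPsec policy values described on this page.

Added example, not OceanProtect/DeviceManager code: there is no product API
behind these functions; they only encode the constraints the procedure states.
"""
import hmac
import ipaddress
import secrets
import string

MIN_LOGICAL_PORT_MTU = 1280   # lower bound of the logical port MTU range
MTU_HEADROOM = 100            # logical port MTU must be <= switch MTU - 100
MAX_REMOTE_IPS = 32
PSK_MIN_LEN, PSK_MAX_LEN = 16, 127
# Special characters the page allows in the pre-shared key: every ASCII
# punctuation character plus the space.
PSK_SPECIAL = string.punctuation + " "
PSK_ALLOWED = set(string.ascii_letters + string.digits + PSK_SPECIAL)


def logical_port_mtu_range(switch_mtu):
    """(low, high) for the replication logical port MTU, or None when the
    switch MTU leaves no valid range (switch_mtu - 100 below 1280)."""
    high = switch_mtu - MTU_HEADROOM
    if high < MIN_LOGICAL_PORT_MTU:
        return None
    return (MIN_LOGICAL_PORT_MTU, high)


def mtu_ok(port_mtu, switch_mtu):
    """True when 1280 <= port_mtu <= switch_mtu - 100 (step 1 of the procedure)."""
    rng = logical_port_mtu_range(switch_mtu)
    return rng is not None and rng[0] <= port_mtu <= rng[1]


def parse_remote_ips(text):
    """Split the 'Remote IP Address' field on ';', spaces or line breaks,
    reject anything that is not IPv4, drop duplicates, enforce the cap of 32."""
    seen, result = set(), []
    for token in text.replace(";", " ").split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            raise ValueError(f"not an IP address: {token!r}") from None
        if addr.version != 4:
            raise ValueError(f"IPv6 is not supported for IPsec policies: {token}")
        if str(addr) not in seen:
            seen.add(str(addr))
            result.append(str(addr))
    if not result:
        raise ValueError("at least one remote IPv4 address is required")
    if len(result) > MAX_REMOTE_IPS:
        raise ValueError(f"{len(result)} addresses exceed the limit of {MAX_REMOTE_IPS}")
    return result


def check_psk(psk):
    """Return the list of rule violations; an empty list means the key is acceptable."""
    problems = []
    if not PSK_MIN_LEN <= len(psk) <= PSK_MAX_LEN:
        problems.append(f"length {len(psk)} is outside {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    bad = sorted({c for c in psk if c not in PSK_ALLOWED})
    if bad:
        problems.append(f"characters not allowed: {bad}")
    classes = sum([
        any(c in string.ascii_uppercase for c in psk),
        any(c in string.ascii_lowercase for c in psk),
        any(c in string.digits for c in psk),
        any(c in PSK_SPECIAL for c in psk),
    ])
    if classes < 2:
        problems.append("needs at least two of: uppercase, lowercase, digit, special")
    return problems


def generate_psk(length=32):
    """Random key that passes check_psk. The space is left out of the alphabet
    (a choice made here, not a product rule) so the key survives copy-and-paste
    into both DeviceManager instances without a stray leading or trailing blank."""
    if not PSK_MIN_LEN <= length <= PSK_MAX_LEN:
        raise ValueError(f"length must be within {PSK_MIN_LEN}-{PSK_MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(psk):
            return psk


def peers_consistent(primary, secondary):
    """Both ends must use the same encryption algorithm and the same key.
    Each argument is a dict with 'algorithm' and 'psk' keys (constructed here);
    the key comparison is constant-time so the check itself leaks nothing."""
    same_alg = primary["algorithm"] == secondary["algorithm"]
    same_psk = hmac.compare_digest(primary["psk"].encode(), secondary["psk"].encode())
    return same_alg and same_psk


if __name__ == "__main__":
    # Constructed sample values: a 1500-byte switch port and the page's own example.
    print(logical_port_mtu_range(1500))            # (1280, 1400)
    print(mtu_ok(1300, 1500), mtu_ok(1450, 1500))  # True False
    print(parse_remote_ips("192.0.2.10; 192.0.2.11\n192.0.2.12"))
    print(check_psk("Abcdefghijklmnop"))           # [] (uppercase + lowercase, 16 chars)
    key = generate_psk()
    print(peers_consistent({"algorithm": "AES", "psk": key},
                           {"algorithm": "AES", "psk": key}))  # True
```

<p>Run the script once with the switch port MTU and the planned key on the primary end, then run peers_consistent against the values prepared for the secondary end before clicking "Create" on either device; a mismatch found here costs nothing, whereas a mismatch found after creation shows up as a replication link that will not come up.</p>
</div>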
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="nas_s_0035_0.html">Replicating NDMP NAS File Systems</a></div>
</div>
</div>

<div class="hrcopyright"><hr size="2"></div><div class="hwcopyright">Copyright &copy; Huawei Technologies Co., Ltd.</div></body>
</html>